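//************************************************************************
//
//  dpmfntd.c : Dynamic Patch Module for NTDLL API family
//
//  History:
//     26-jan-02   cmjones    created it.
//
//************************************************************************
#ifdef DBG
unsigned long dwLogLevel = 0;
#endif

// NOTE(review): the five system headers below lost their angle-bracket
// file names when this listing was extracted; restore them from the
// original source tree before building.
#include
#include
#include
#include
#include
#include "dpmtbls.h"
#include "dpmdbg.h"     // include handy debug print macros
#include "shimdb.h"

BOOL          DllInitProc(HMODULE hModule, DWORD Reason, PCONTEXT pContext);
PFAMILY_TABLE DpmInitFamTable(PFAMILY_TABLE, HMODULE, PVOID, PVOID, LPWSTR, PDPMMODULESETS);
void          DpmDestroyFamTable(PFAMILY_TABLE pgDpmFamTbl, PFAMILY_TABLE pFT);

#define GROW_HEAP_AS_NEEDED 0

// Private heap for this module's per-task tables (created on process attach).
HANDLE hHeap = NULL;

// TLS slot holding the calling task's PFAMILY_TABLE.  The API wrappers at
// the bottom of this file fetch it into a local named pFT, which the SHM_*
// dispatch macros (dpmtbls.h, not visible here) presumably read.
DWORD  dwTlsIndex = TLS_OUT_OF_INDEXES;

// Appended to the system directory to build a fully qualified path, so the
// shim engine is loaded by absolute path rather than via the DLL search order.
char   szShimEngDll[] = "\\ShimEng.dll";


//
// DllInitProc - DLL entry point.
//
//   Creates the module's private heap and TLS slot on process attach and
//   releases them on process detach.  Returns FALSE if either resource
//   cannot be created; the detach path tolerates a NULL heap and an
//   unallocated TLS index in case the loader sends DLL_PROCESS_DETACH
//   after a failed attach.
//
BOOL DllInitProc(HMODULE hModule, DWORD Reason, PCONTEXT pContext)
{
    BOOL bRet = TRUE;

    UNREFERENCED_PARAMETER(hModule);
    UNREFERENCED_PARAMETER(pContext);

    switch(Reason) {

        case DLL_PROCESS_ATTACH:
            hHeap = HeapCreate(0, 4096, GROW_HEAP_AS_NEEDED);
            if(hHeap == NULL) {
                DPMDBGPRN("NTVDM::DpmfNtd:Can't initialize heap!\n");
                bRet = FALSE;
                break;              // nothing else is usable without the heap
            }
            dwTlsIndex = TlsAlloc();
            if(dwTlsIndex == TLS_OUT_OF_INDEXES) {
                DPMDBGPRN("NTVDM::DpmfNtd:Can't initialize TLS!\n");
                bRet = FALSE;
            }
            break;

        case DLL_PROCESS_DETACH:
            if(hHeap) {
                HeapDestroy(hHeap);
                hHeap = NULL;
            }
            if(dwTlsIndex != TLS_OUT_OF_INDEXES) {
                TlsFree(dwTlsIndex);
                dwTlsIndex = TLS_OUT_OF_INDEXES;
            }
            break;

        default:
            // thread attach/detach: nothing per-thread is set up here
            break;
    }

    return bRet;
}


//
// DpmInitFamTable - build the per-task NTDLL family table.
//
//   pgDpmFamTbl     global (unpatched) table for this family; supplies the
//                   hooked-API count and the real API entry points
//   hMod            this DLL; the patch functions are looked up by ordinal
//                   1..numApis, so the export order must match the table
//   hSdb, pSdbQuery shim database handles handed through to SE_ShimNTVDM
//   pwszAppFilePath application path handed through to SE_ShimNTVDM
//   pModSet         supplies the module name and API names used to
//                   describe each slot to the shim engine
//
//   Returns the new table (also stored in this thread's TLS slot), or
//   NULL on any failure, in which case everything allocated here has
//   been released.  The shim engine is always loaded; if SE_ShimNTVDM
//   declines to patch a slot the slot keeps the original API pointer.
//
PFAMILY_TABLE DpmInitFamTable(PFAMILY_TABLE  pgDpmFamTbl,
                              HMODULE        hMod,
                              PVOID          hSdb,
                              PVOID          pSdbQuery,
                              LPWSTR         pwszAppFilePath,
                              PDPMMODULESETS pModSet)
{
    int                i, numApis;
    UINT               len;
    PVOID              lpdpmfn;
    PFAMILY_TABLE      pFT = NULL;
    PVOID             *pFN = NULL;
    PVOID             *pShimTbl = NULL;
    PAPIDESC           pApiDesc = NULL;
    VDMTABLE           VdmTbl = {0};     // zeroed so no field reaches the engine uninitialized
    char               szShimEng[MAX_PATH];
    HMODULE            hModShimEng = NULL;
    LPFNSE_SHIMNTVDM   lpShimNtvdm;

    DPMDBGPRN("NTVDM::DpmfNtd:Initialziing File I/O API tables\n");

    // Get hooked API count from global table
    numApis = pgDpmFamTbl->numHookedAPIs;
    if(numApis < 0) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:bad hooked API count\n");
        goto ErrorExit;
    }

    // Allocate a new family table
    pFT = (PFAMILY_TABLE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, sizeof(FAMILY_TABLE));
    if(!pFT) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 1 failed\n");
        goto ErrorExit;
    }

    // Allocate the shim dispatch table for this family in this task
    pShimTbl = (PVOID *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, numApis * sizeof(PVOID));
    if(!pShimTbl) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 2 failed\n");
        goto ErrorExit;
    }
    pFT->pDpmShmTbls = pShimTbl;

    // Allocate an array of ptrs to hooked API's
    pFN = (PVOID *)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, numApis * sizeof(PVOID));
    if(!pFN) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 3 failed\n");
        goto ErrorExit;
    }
    pFT->pfn           = pFN;
    pFT->numHookedAPIs = numApis;
    pFT->hMod          = hMod;

    // Allocate a temp array of APIDESC structs to help attach shims
    pApiDesc = (PAPIDESC)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, numApis * sizeof(APIDESC));
    if(!pApiDesc) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:malloc 4 failed\n");
        goto ErrorExit;
    }

    VdmTbl.nApiCount = numApis;
    VdmTbl.ppfnOrig  = pShimTbl;
    VdmTbl.pApiDesc  = pApiDesc;

    // Fill in the family table with ptrs to the patch functions in this DLL.
    for(i = 0; i < numApis; i++) {

        // must start with 1 since EXPORT ordinals can't be == 0
        lpdpmfn = (PVOID)GetProcAddress(hMod, (LPCSTR)MAKELONG(i+1, 0));
        if(!lpdpmfn) {
            DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:Unable to get proc address\n");
            goto ErrorExit;
        }

        // save ptr to the real API in the shim table until it gets shimmed
        pShimTbl[i] = pgDpmFamTbl->pfn[i];

        // relate the corresponding module and API name to the API function ptr
        pApiDesc[i].pszModule = (char *)pModSet->ApiModuleName;
        pApiDesc[i].pszApi    = (char *)pModSet->ApiNames[i];

        // save ptr to the patch function
        pFN[i] = lpdpmfn;
    }

    // Attach the shim engine.  Build the path under the system directory;
    // bail out rather than overrun szShimEng if the lookup fails or the
    // directory plus "\ShimEng.dll" (with its terminator) does not fit.
    len = GetSystemDirectory(szShimEng, MAX_PATH);
    if(len == 0 || len + sizeof(szShimEngDll) > sizeof(szShimEng)) {
        DPMDBGPRN("NTVDM::dpmfntd:DpmInit:ShimEng path unavailable or too long\n");
        goto ErrorExit;
    }
    strcat(szShimEng, szShimEngDll);

    hModShimEng = LoadLibrary(szShimEng);
    if(NULL == hModShimEng) {
        DPMDBGPRN("NTVDM::dpmfntd:DpmInit:ShimEng load failed\n");
        goto ErrorExit;
    }
    pFT->hModShimEng = hModShimEng;     // owned by the table from here on

    lpShimNtvdm = (LPFNSE_SHIMNTVDM)GetProcAddress(hModShimEng, "SE_ShimNTVDM");
    if(!lpShimNtvdm) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:GetProcAddress failed\n");
        goto ErrorExit;
    }

    // Patch the shim dispatch table with the shim function ptrs.
    // The result is deliberately ignored: if this fails we stick with the
    // ptrs to the original API's already stored in pShimTbl.
    (lpShimNtvdm)(pwszAppFilePath, hSdb, pSdbQuery, &VdmTbl);

    // Design note: to dispatch directly to the shim functions instead of
    // going through the shim table, copy pShimTbl[i] into pFN[i] here,
    // free pShimTbl and clear pFT->pDpmShmTbls.

    if(!TlsSetValue(dwTlsIndex, pFT)) {
        DPMDBGPRN("NTVDM::DpmfNtd:DpmInit:TLS set failed\n");
        goto ErrorExit;
    }

    // The APIDESC array was only needed while attaching the shims.
    HeapFree(hHeap, 0, pApiDesc);
    pApiDesc = NULL;

    DPMDBGPRN1("  DpmfNtd:Returning File I/o API tables: %#lx\n", pFT);
    return(pFT);

ErrorExit:
    DPMDBGPRN("  DpmfNtd:Init failed: Returning NULL\n");
    // Releases whatever was attached to pFT so far (tables, shim engine).
    DpmDestroyFamTable(pgDpmFamTbl, pFT);
    if(pApiDesc) {
        HeapFree(hHeap, 0, pApiDesc);
    }
    return(NULL);
}


//
// DpmDestroyFamTable - release a per-task table built by DpmInitFamTable.
//
//   pgDpmFamTbl  the global table; a task that still points at it owns
//                nothing and there is nothing to free
//   pFT          the table to destroy (may be NULL or partially built)
//
//   Detaches the shim engine for the current thread before freeing the
//   dispatch tables it was given, and clears this thread's TLS slot if it
//   still points at pFT so a later hooked call cannot dispatch through
//   freed memory.
//
void DpmDestroyFamTable(PFAMILY_TABLE pgDpmFamTbl, PFAMILY_TABLE pFT)
{
    LPFNSE_REMOVENTVDM lpfnSE_RemoveNtvdmTask = NULL;

    DPMDBGPRN("NTVDM::DpmfNtd:Destroying NTDLL API tables for task\n");

    // if this task is using the global table for this family, nothing to do
    if(!pFT || pFT == pgDpmFamTbl) {
        return;
    }

    // See if the shim engine is attached & detach it.  This happens before
    // the tables are freed because SE_ShimNTVDM was handed pDpmShmTbls at
    // init time and may still reference it until the task is removed.
    if(pFT->hModShimEng) {
        lpfnSE_RemoveNtvdmTask = (LPFNSE_REMOVENTVDM)GetProcAddress(pFT->hModShimEng, "SE_RemoveNTVDMTask");
        if(lpfnSE_RemoveNtvdmTask) {
            (lpfnSE_RemoveNtvdmTask)(NtCurrentTeb()->ClientId.UniqueThread);
        }
        FreeLibrary(pFT->hModShimEng);
        pFT->hModShimEng = NULL;
    }

    // Don't leave a dangling table pointer in this thread's TLS slot.
    if(dwTlsIndex != TLS_OUT_OF_INDEXES && TlsGetValue(dwTlsIndex) == (LPVOID)pFT) {
        TlsSetValue(dwTlsIndex, NULL);
    }

    if(pFT->pDpmShmTbls) {
        HeapFree(hHeap, 0, pFT->pDpmShmTbls);
        pFT->pDpmShmTbls = NULL;
    }
    if(pFT->pfn) {
        HeapFree(hHeap, 0, pFT->pfn);
        pFT->pfn = NULL;
    }

    HeapFree(hHeap, 0, pFT);
}

// ^^^^^^^^^^ All the above should be in every DPM module. ^^^^^^^^^^^^
// vvvvvvvvvv Define module specific stuff below.           vvvvvvvvvvvv
//
// Each wrapper below is exported by ordinal (see the GetProcAddress loop in
// DpmInitFamTable) and forwards to the per-task shim table through the
// SHM_* macro, which presumably reads the local pFT; keep that local even
// though it is not referenced explicitly here.

//
// dpmNtOpenFile - patched NtOpenFile; forwards through SHM_NtOpenFile.
//
DWORD dpmNtOpenFile(PHANDLE            FileHandle,
                    ACCESS_MASK        DesiredAccess,
                    POBJECT_ATTRIBUTES ObjectAttributes,
                    PIO_STATUS_BLOCK   IoStatusBlock,
                    ULONG              ShareAccess,
                    ULONG              OpenOptions)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    DWORD         ret = 0;

    DPMDBGPRN("NtOpenFile: ");

    ret = SHM_NtOpenFile(FileHandle,
                         DesiredAccess,
                         ObjectAttributes,
                         IoStatusBlock,
                         ShareAccess,
                         OpenOptions);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}


//
// dpmNtQueryDirectoryFile - patched NtQueryDirectoryFile; forwards through
// SHM_NtQueryDirectoryFile.
//
DWORD dpmNtQueryDirectoryFile(HANDLE                 FileHandle,
                              HANDLE                 Event OPTIONAL,
                              PIO_APC_ROUTINE        ApcRoutine OPTIONAL,
                              PVOID                  ApcContext OPTIONAL,
                              PIO_STATUS_BLOCK       IoStatusBlock,
                              PVOID                  FileInformation,
                              ULONG                  Length,
                              FILE_INFORMATION_CLASS FileInformationClass,
                              BOOLEAN                ReturnSingleEntry,
                              PUNICODE_STRING        FileName OPTIONAL,
                              BOOLEAN                RestartScan)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    DWORD         ret = 0;

    DPMDBGPRN("NtQueryDirectoryFile: ");

    ret = SHM_NtQueryDirectoryFile(FileHandle,
                                   Event,
                                   ApcRoutine,
                                   ApcContext,
                                   IoStatusBlock,
                                   FileInformation,
                                   Length,
                                   FileInformationClass,
                                   ReturnSingleEntry,
                                   FileName,
                                   RestartScan);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}


//
// dpmRtlGetFullPathName_U - patched RtlGetFullPathName_U; forwards through
// SHM_RtlGetFullPathName_U.
//
DWORD dpmRtlGetFullPathName_U(PCWSTR lpFileName,
                              ULONG  nBufferLength,
                              PWSTR  lpBuffer,
                              PWSTR *lpFilePart)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    DWORD         ret = 0;

    DPMDBGPRN("RtlGetFullPathName_U: ");

    ret = SHM_RtlGetFullPathName_U(lpFileName,
                                   nBufferLength,
                                   lpBuffer,
                                   lpFilePart);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}


//
// dpmRtlGetCurrentDirectory_U - patched RtlGetCurrentDirectory_U; forwards
// through SHM_RtlGetCurrentDirectory_U.
//
DWORD dpmRtlGetCurrentDirectory_U(ULONG nBufferLength, PWSTR lpBuffer)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    DWORD         ret = 0;

    DPMDBGPRN("RtlGetCurrentDirectory_U: ");

    ret = SHM_RtlGetCurrentDirectory_U(nBufferLength, lpBuffer);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}


//
// dpmRtlSetCurrentDirectory_U - patched RtlSetCurrentDirectory_U; forwards
// through SHM_RtlSetCurrentDirectory_U.
//
NTSTATUS dpmRtlSetCurrentDirectory_U(PUNICODE_STRING PathName)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    NTSTATUS      ret = 0;

    DPMDBGPRN("RtlSetCurrentDirectory_U: ");

    ret = SHM_RtlSetCurrentDirectory_U(PathName);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}


//
// dpmNtVdmControl - patched NtVdmControl; forwards through SHM_NtVdmControl.
// Declared DWORD (unlike dpmRtlSetCurrentDirectory_U) to keep the existing
// export signature; the NTSTATUS is returned unchanged.
//
DWORD dpmNtVdmControl(VDMSERVICECLASS vdmClass, PVOID pInfo)
{
    PFAMILY_TABLE pFT = (PFAMILY_TABLE)TlsGetValue(dwTlsIndex);
    NTSTATUS      ret = 0;

    DPMDBGPRN("NtVdmControl: ");

    ret = SHM_NtVdmControl(vdmClass, pInfo);

    DPMDBGPRN1("  -> %#lx\n", ret);

    return(ret);
}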